MC-119235Item Duplication with Prepare Crafting Grid packet
There is an implementation issue with the "Prepare Crafting Grid" packet. I've tested this with a vanilla 1.12 server but since I don't have the 1.12 source handy I'll be using MCP 9.40.
Start by looking at NetHandlerPlayServer#func_191985_a, the function which handles the "Prepare Crafting Grid" packet.
We want to make sure that field_192618_c of CPacketRecipePlacement is not empty, which triggers the first for loop.
Then, we want to make sure that one of the items is exactly identical to one in our inventory, which causes this.func_193074_a(cpacketrecipeplacement$itemmove.field_192673_a, itemstack) to return true.
We want to make sure that field_192675_c is not -1, causing cpacketrecipeplacement$itemmove.field_192675_c == -1 to return false.
Finally, we make sure that there is already an item in slot field_192675_c, which causes itemstack1.func_190926_b() to return false.
Now, itemstack1.func_190917_f(count); is executed. This line of code increments the count of the item in slot field_192675_c by the amount in the itemstack specified by field_192673_a. The end result is that we convert the items in the crafting grid into the items in slot field_192675_c.
To replicate, simply replace the line within CPacketRecipePlacement which states p_192612_1_.writeByte(cpacketrecipeplacement$itemmove.field_192675_c); with p_192612_1_.writeByte(8);. Then, prepare your inventory as shown in the first screenshot.
Click any recipe in the recipe book that does not directly involve the item in the crafting grid. In my case, I clicked on the bed. The server now takes the count of the items in the crafting grid (16) and adds it to the count of the item in slot 8 (1), setting the new count of the item in slot 8 to be 17. The 16 logs in slot 1 are client side.
As you can imagine, this is a very serious bug, because any item (including shulker boxes) can be duplicated. Furthermore, it is likely that the reverse can also be abused, resulting in items with negative counts.
